Re: [cobalt-users] Hacked Into
- Subject: Re: [cobalt-users] Hacked Into
- From: Marco Baurdoux <linux@xxxxxxxxxxxxx>
- Date: Sun Sep 16 20:21:23 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Are the three IPs from the same class?
Carefully check your /var/log/xferlog
more /var/log/xferlog | grep ip_address_to_search
This will tell you if they came in via FTP
more /var/log/messages | grep ip_address_to_search
This will tell you if they used SSH or Telnet services to come in.
All of this, of course, only if they didn't erase the log files. Like I always do
when I manage to get in :-)) (but of course I never get in!!!)
On 17.9.2001 12:20, almax@xxxxxxxxxxxxxxx at almax@xxxxxxxxxxxxxxx wrote:
>
> Marco
>
> The attacks appear to have come from 3 different IP's when we went through the
> server logs. I am now investigating how the file got in there.
>
> Thanks
>
> Simon
>> Hi Simon,
>> If the attacks come from the same IP all the time, you should check how they
>> get the files onto your system. If it is via FTP, you can use the inetd
>> service to block this particular address; for that, consult the man pages
>> for the hosts.allow and hosts.deny files.
>>
>>
>> On 17.9.2001 11:30, almax@xxxxxxxxxxxxxxx at almax@xxxxxxxxxxxxxxx wrote:
>>
>>> Back from holiday, server hacked, oh joy.
>>>
>>> It appears that somebody randomly whoised a domain on one of our servers and
>>> uploaded a 100mb file by the name of french-porn.dvd.divx.avi and then set
>>> servers wgetting it, eating up 9gb of bandwidth in little over 8 hours.
>>> Luckily this happened the day before I returned and so I managed to delete the
>>> file, grab IPs from the server logs and, as I thought, stop the leak.
>>>
>>> However, I came in today and found that a 1.5gb file beautifulgirls.tar has
>>> suddenly appeared once again in the web folder and another 1.3gb of transfer
>>> has disappeared. I suspect we are being used by a porn site who are happy to
>>> have found a fast web server. What worries me is that I have applied every
>>> single security update from Cobalt as soon as they have come out.
>>>
>>> Does anyone have any info that could help me, i.e. programs to make the RaQ4i
>>> more secure? I don't believe they have access to the server as everything is
>>> just going to this one domain, which I have now removed from the server, and it
>>> will remain to be seen if files start appearing in the other domains. I do
>>> not know if there are ways to hack into the web domain of the server and put
>>> the files in.
>>>
>>> I am the only user on the whole of the RaQ and therefore I do not believe it
>>> is a case of an "inside job" or users on other domains somehow gaining
>>> access.
>>>
>>> Any help would be most appreciated.
>>>
>>> Thanks
>>>
>>> Simon
>>>
>>> _______________________________________________
>>> cobalt-users mailing list
>>> cobalt-users@xxxxxxxxxxxxxxx
>>> To Subscribe or Unsubscribe, please go to:
>>> http://list.cobalt.com/mailman/listinfo/cobalt-users
>>
>
=======================================================================
Marco Baurdoux
Unix Administrator
Infomaniak Network SA
Avenue de la Praille 26
1227 Carouge
Switzerland
Tel: +41 (0)22 820 35 41
Fax: +41 (0)22 820 35 46
http://web.infomaniak.ch
=======================================================================
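The check Marco describes (grep the FTP transfer log and syslog for the suspect address to see whether it came in over FTP or over SSH/Telnet, then block it through tcp_wrappers) as an added example; this is not code from the thread or from Cobalt. The log lines are constructed samples in wu-ftpd xferlog and syslog format using RFC 5737 test addresses, and the daemon names in deny_line (in.ftpd, in.telnetd) are an assumed inetd setup, not taken from the page.

```shell
#!/bin/sh
# Added example, not code from the thread: find where a suspect source address
# shows up in a RaQ's FTP transfer log and syslog, classify the entry vector,
# and emit the tcp_wrappers hosts.deny line that would block it.
# Sample log lines are constructed; daemon names in deny_line are an assumption.
set -eu

# Write constructed sample logs to a temp dir so the script runs offline.
# Prints the directory path (not removed afterwards; delete it when done).
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/xferlog" <<'EOF'
Sun Sep 16 02:11:09 2001 812 192.0.2.45 104857600 /home/sites/site12/web/french-porn.dvd.divx.avi b _ i r webuser ftp 0 * c
Sun Sep 16 09:30:01 2001 3 198.51.100.7 1024 /home/sites/site3/web/index.html a _ o r webuser ftp 0 * c
EOF
  cat > "$dir/messages" <<'EOF'
Sep 16 02:10:55 raq4 sshd[1234]: Accepted password for webuser from 192.0.2.45 port 40122 ssh2
Sep 16 08:00:12 raq4 in.telnetd[2222]: connect from 203.0.113.9
Sep 16 09:29:50 raq4 sshd[1300]: Accepted password for admin from 198.51.100.7 port 40200 ssh2
EOF
  echo "$dir"
}

# Number of xferlog entries from the address ($1) in the given xferlog ($2).
# -F -w matches the literal address as a whole token, so 192.0.2.4 does not
# match 192.0.2.45. grep -c exits 1 on zero matches, hence the || true.
ftp_hits() {
  grep -Fwc -- "$1" "$2" || true
}

# Number of sshd/telnetd lines mentioning the address ($1) in messages ($2).
login_hits() {
  grep -Fw -- "$1" "$2" | grep -Ec 'sshd|telnetd' || true
}

# Classify how the address got in: ftp, login (SSH/Telnet), both or none.
entry_vector() {
  ip=$1; xferlog=$2; messages=$3
  f=$(ftp_hits "$ip" "$xferlog")
  l=$(login_hits "$ip" "$messages")
  if [ "$f" -gt 0 ] && [ "$l" -gt 0 ]; then echo both
  elif [ "$f" -gt 0 ]; then echo ftp
  elif [ "$l" -gt 0 ]; then echo login
  else echo none
  fi
}

# /etc/hosts.deny entry for the address. The daemon names are an assumed inetd
# setup; use the names from your own /etc/inetd.conf.
deny_line() {
  echo "in.ftpd, in.telnetd: $1"
}

# Stand-alone usage: ./check_ip.sh IP [xferlog] [messages]; with no arguments
# the script runs against the constructed samples.
if [ $# -gt 0 ]; then
  ip=$1; xferlog=${2:-/var/log/xferlog}; messages=${3:-/var/log/messages}
else
  d=$(make_samples); ip=192.0.2.45; xferlog=$d/xferlog; messages=$d/messages
fi
echo "$ip: ftp=$(ftp_hits "$ip" "$xferlog") login=$(login_hits "$ip" "$messages") vector=$(entry_vector "$ip" "$xferlog" "$messages")"
echo "hosts.deny: $(deny_line "$ip")"
```

The whole-word, fixed-string grep matters: a plain `grep 192.0.2.4` would also match 192.0.2.45 and, because `.` is a regex wildcard, addresses such as 192.0.2x4. As the reply notes, all of this only helps if the logs were not erased; if xferlog and messages are silent for an address that clearly uploaded files, treat the host itself as compromised rather than just the one domain.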